VPN proxy does not give the apps access to VPN's private network #1016

Open
rhusiev opened this issue Aug 22, 2023 · 7 comments

rhusiev commented Aug 22, 2023

I have a WireGuard VPN that acts as a way to connect to my computer (in my case for KDE Connect) even when on a different network.

With just the WireGuard app it works fine, but when I connect to the same peer from Rethink, the connection is lost. Even though my phone (Android 13) and computer (Fedora Linux) are on the same private network and can both ping each other, KDE Connect can't find.
The problem is definitely not with the computer or the VPN, as it all worked before adding Rethink to the mix.

I tried excluding, bypassing universally and only DNS & firewall, allowing the IPs and ports for the specific app and universally, but nothing worked.

I was able to make KDE Connect work when both the Linux and Android machines are on the same WIFI and I remove KDE Connect from being sent to DNS, but I can't find how to allow it to access the VPN's private network freely.

@ignoramous
Collaborator

As a workaround, turn ON Configure -> Network -> Do not route Private IPs and see things work.

Keep in mind that the WireGuard impl in Rethink is more of a TCP/UDP L4 proxy and not an IPsec-esque L3 VPN.

Also, ICMP and DNS do not get tunneled through WireGuard (this is an Android limitation). For DNS, there's an approximation we have identified to fool apps into split-tunneling their DNS to appropriate WireGuard channels, but it is planned for a later release: #979

Also, does KDE Connect rely on multicast DNS? If so, that is broken in v055 (but hopefully, we fix it soon): #1005

@rhusiev
Author

rhusiev commented Aug 23, 2023

The "Do not route Private IPs" option just sends KDE Connect (and other programs connecting to local IPs) to the local network, for example WIFI.

In my use case I need it to be able to connect to another device on the same Virtual network.

I believe it has nothing to do with DNS, as KDE Connect tries to find local IPs and not domains. However, even though I can ping the other device from Termux, KDE Connect can't interact with it (maybe it's a port issue or something else).

@ignoramous
Collaborator

Gotcha.

> I believe it has nothing to do with DNS, as KDE Connect tries to find local IPs

Hm, is there documentation about how KDE Connect works (networking-wise)? Rethink's impl of WireGuard is at L4 (TCP / UDP layer) as opposed to L3 (like in the official WireGuard app). I wonder if that is incompatible with however KDE Connect is trying to "find local IPs".

Are you using IPv6 within your wg tunnel / peer routes by any chance?

ignoramous self-assigned this Aug 23, 2023
@rhusiev
Author

rhusiev commented Aug 24, 2023

I don't use IPv6 and I am not competent enough to understand all the intricacies of L4, L3 and how KDE Connect works on a network level, so, unfortunately, I won't be able to help with this.

For now I use the Do not route Private IPs, but it only works when both devices are connected to the same wifi.

@ignoramous
Collaborator

ignoramous commented Aug 27, 2023

@ignoramous
Collaborator

Possibly also related to the scenario where Termux forwarding connections to WireGuard doesn't work:

ignoramous changed the title from "VPN proxy does not give the apps access to the private network" to "VPN proxy does not give the apps access to VPN's private network" Apr 4, 2024
ignoramous added the labels bug (Something isn't working) and L100 (Task level: 100) Apr 4, 2024
@splattergamesextended

This issue is still ongoing. I can't connect to KDE Connect at all, even when ticking the "Do not route Private IPs" setting. As already described by OP, there are no problems with WG-Tunnel (and I assume the official WireGuard app).
If it helps troubleshoot, KDE Connect seems to rely on UDP discovery. I can see the broadcast address being called by KDE Connect (255.255.255.255) in the Rethink logs when the VPN is turned off, so I assume somewhere in there is a problem. Would be great if someone could look into it, since I'm not able to use KDE Connect with Rethink at all as of right now.
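
Added example, not part of the thread and not Rethink's code: a small triage helper for the destinations that show up in firewall logs, separating addresses covered by the WireGuard peer's AllowedIPs (which must go through the tunnel even though they are private) from LAN-only private addresses and from broadcast/multicast discovery traffic. The AllowedIPs value, the sample destinations and the path labels are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the issue).
ALLOWED_IPS = ["10.8.0.0/24"]      # AllowedIPs of the WireGuard peer
LOG_DESTINATIONS = [
    "10.8.0.2",          # the computer's address inside the tunnel
    "10.8.0.255",        # directed broadcast of the tunnel subnet
    "192.168.1.40",      # a host on the local Wi-Fi
    "255.255.255.255",   # limited broadcast, as seen in the Rethink logs
    "224.0.0.251",       # mDNS multicast group
    "93.184.216.34",     # a public address
]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def classify(dst, allowed_ips):
    """Return (kind, in_tunnel) for one destination address string."""
    ip = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_ips]
    hits = [n for n in nets if n.version == ip.version and ip in n]
    directed = any(n.num_addresses > 2 and ip == n.broadcast_address for n in hits)
    if ip == LIMITED_BROADCAST or directed:
        kind = "broadcast"
    elif ip.is_multicast:
        kind = "multicast"
    elif ip.is_private:
        kind = "private"
    else:
        kind = "public"
    return kind, bool(hits)


def triage(destinations, allowed_ips):
    """Map each destination to the path it needs (hypothetical labels)."""
    out = {}
    for dst in destinations:
        kind, in_tunnel = classify(dst, allowed_ips)
        if kind in ("broadcast", "multicast"):
            out[dst] = "discovery-in-tunnel" if in_tunnel else "discovery-outside-tunnel"
        elif in_tunnel:
            out[dst] = "tunnel"   # covered by AllowedIPs: must go through WireGuard
        elif kind == "private":
            out[dst] = "lan"      # what "Do not route Private IPs" is meant for
        else:
            out[dst] = "default"
    return out


if __name__ == "__main__":
    for dst, path in triage(LOG_DESTINATIONS, ALLOWED_IPS).items():
        print(f"{dst:16} {path}")
```

Destinations labelled `tunnel` are the ones a blanket private-IP bypass sends to the wrong network, and those labelled `discovery-outside-tunnel` are addressed to no prefix in AllowedIPs at all.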
